How does F5 LTM re-encrypt data with serverssl profile?

If I may add, an SSL connection always starts with a CLIENTHELLO message - the client's desire to start an SSL session. The client says "hello" and then lists all the ciphers it supports. The server subsequently responds with SERVERHELLO and chooses one of the client's ciphers.

The server SSL profile, being the client to the Apache server, initiates the SSL session. During that handshake several attributes of the session are negotiated, including cipher strength, the ability to renegotiate, and how to handle various events. You do have some client side control over these decisions in the server SSL profile. There are two sections in the server SSL profile where you deal with certificates. The certificate and key in the main configuration specify the CLIENT certificate that the server SSL profile can send to the Apache server. This is a certificate/key pair installed on the BIG-IP and not the user's certificate/key pair, so it's value here is limited. Under Server Authentication, you can specify how to handle the server's certificate, which is passed from the server during the negotiation. A setting of ignore means that the server SSL profile doesn't attempt to validate the server's certificate (like getting the certificate trust nag screen in the browser). A setting of require means the profile will validate the server's certificate, and you need a Trusted Certificate Authorities certificate (or bundle) to build that trust chain. You can optionally check the server's certificate against a certificate revocation list (CRL).

As afedden states, you only need the client and server SSL profile if you intend to inspect the layer 7 (HTTP) traffic, or perhaps do cookie persistence. You can otherwise remove both SSL profiles and let the client and Apache server negotiate direct SSL.

You can also, optionally on v11 systems, do SSL "man-in-the-middle" where the client and Apache server negotiate SSL directly, but the BIG-IP has access to the layer 7 payload.